April 2006 Critical Patch Update Released
By blogsadmin on Apr 25, 2006
Hello. My name is Darius Wiles and I manage Oracle's Security Alerts
Team. Our focus is to track security vulnerabilities in Oracle
products, to support developers in the production of fixes and to
manage their release to customers.
Since the beginning of
2005, we've been releasing patches for all products on a single day,
once a quarter, as part of our Critical Patch Update process. The OTN
site contains the list of Critical Patch Updates that we have released to date, and information on our security vulnerability fixing process.
The sixth Critical Patch Update was released on 18 April 2006. The details can be found in the advisory, available on OTN, MetaLink and the PeopleSoft / JD Edwards Customer Connection site.
The April 2006 Critical Patch Update contains an improved version of the
password checking utility previously released with the January 2006
Critical Patch Update. We've renamed it the Oracle Default Password
Scanner to more accurately reflect its purpose: to list default database
accounts that are unlocked (open) and still have their default passwords.
The accompanying documentation, the Oracle Default Password Scanner
User's Guide, explains how to secure each unlocked default account that
has a default password. Most accounts can simply be locked, but those
used by other Oracle products need different remedial actions so that
those other products can continue to access the database.
We recommend using the Scanner to identify and secure default accounts.
The Scanner is independent of the rest of the Critical Patch Update,
so it is possible to go straight to the Scanner FAQ on MetaLink and
download it from there. We encourage use of the Scanner as part of a
wider security review, using the advice in the security guides linked
from the OTN security page.
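To make the remediation concrete, here is an added SQL*Plus example; it is not the Oracle Default Password Scanner or any other Oracle-supplied code. The Scanner does the hard part (deciding which open accounts still carry a default password, which needs the list of known defaults); this example only shows the surrounding steps a DBA performs: listing open accounts from the DBA_USERS data dictionary view, locking an account that nothing depends on, and changing the password of one that another product still needs. SCOTT is used as the placeholder for a lockable sample account, and APP_ACCOUNT and its new password are hypothetical names chosen for illustration.

```sql
-- Added example for this blog entry; it is not the Oracle Default Password
-- Scanner. Run in SQL*Plus as a user with the DBA role.

-- Step 1: list every account that is currently open. The Scanner narrows
-- this list to those whose password is still a known default; here we only
-- show the candidates so the later steps can be checked against them.
SELECT username, account_status, created
  FROM dba_users
 WHERE account_status = 'OPEN'
 ORDER BY username;

-- Step 2: an open default account that no other product uses can simply be
-- locked (SCOTT, the demo schema, stands in for such an account here).
-- A locked account cannot log in even if its default password is known.
ALTER USER scott ACCOUNT LOCK;

-- Step 3: an account that another Oracle product still connects with must
-- stay open, so change its password instead of locking it. APP_ACCOUNT and
-- the new password are placeholders; the real account name and the product
-- that must be reconfigured to use the new password come from the User's
-- Guide for that account.
ALTER USER app_account IDENTIFIED BY new_strong_password;

-- Step 4: verify the result. SCOTT should now report LOCKED, and APP_ACCOUNT
-- should remain OPEN with the password change applied.
SELECT username, account_status, lock_date
  FROM dba_users
 WHERE username IN ('SCOTT', 'APP_ACCOUNT')
 ORDER BY username;
```

Two caveats a practitioner would want: run the listing query again after applying the Critical Patch Update, since patching or installing components can recreate or unlock accounts, and keep locking (not deleting) as the default action, because dropping a schema that a product depends on is harder to reverse than unlocking it.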
John Heimann's team (see the blog entry for 17 April 2006) is managing
a program to make it easier to lock down existing default accounts, to
avoid introducing unnecessary new default accounts, and otherwise to
install new releases of products in a hardened configuration. The
specific configuration changes are being phased in over a series of
releases to ease the impact on customers. The tools and security guides
being released now make some of these security improvements available
for current products.
I realize I've included a lot of information and links in this blog
entry, but it is an indication of the number of security initiatives
and teams involved in improving the security of Oracle products.
There's a lot of great information available - the trick is knowing
where to look!